Sign up
Title:
Method and apparatus for monitoring functions of distributed data
United States Patent 8078710
Abstract:
This invention discloses continuous functional monitoring of distributed network activity using algorithms based on frequency moment calculations given by
Fpimip.
The frequency moment calculations are used to raise an alarm when a value exceeds a certain threshold. Frequency moments for p=0, 1, and 2 are described.


Inventors:
Cormode, Graham (Summit, NJ, US)
Yi, Ke (Kowloon, CN)
Application Number:
11/963005
Publication Date:
12/13/2011
Filing Date:
12/21/2007
Assignee:
AT&T Intellectual Property I, LP (Atlanta, GA, US)
Primary Class:
Other Classes:
709/224
International Classes:
G06F15/173
Field of Search:
709/224, 709/223, 707/1, 707/2, 707/9, 707/103
View Patent Images:
Primary Examiner:
Nguyen, Tina
Attorney, Agent or Firm:
Hoffmann & Baron, LLP
Claims:
What is claimed is:

1. A method of monitoring computer network activity comprising: reporting a selected network activity by a plurality of remote devices using a frequency moment Fp determined in accordance with
Fpimip where p represents an order of the frequency moment of 0, 1, or 2, i representing the selected network activity, and mi representing a dataset comprising a frequency associated with the selected network activity i from the plurality of remote devices; and providing a notification in response to Fp≧τ, where τ is a threshold value in response to the order of the frequency moment being 2, the frequency moment F2 being calculated in two phases of rounds, sketch algorithms being calculated to determine an estimate of a current norm of vectors, the plurality of remote devices sending a bit to a coordinator in response to a local vector exceeding a pre-determined bit threshold, the sketches being collected from each of the plurality of remote devices in response to receiving a pre-determined number of bits; causing the estimate of the current frequency moment F2 to exceed a pre-determined fraction of a global threshold in response to a summation of the sketches, dividing each round into sub-rounds, where each sub-round is completed on the receipt of a pre-determined threshold of a number of bits; transmitting an approximate sketch to the coordinator on the completion of each sub-round; initiating a new sub-round in response to the approximate sketch being less than a pre-defined threshold; changing an output value of the coordinator; and terminating the algorithm in response to the approximate sketch being equal to or exceeding the pre-defined threshold.

2. The method of claim 1, wherein p=0 and F0 corresponds to the number of distinct elements in dataset mi.

3. The method of claim 1, wherein p=1 and F1 corresponds to the sum of all elements in dataset mi.

4. The method of claim 1, wherein p=2 and F2 corresponds to the square of the frequency of each element in dataset mi.

5. The method of claim 1, wherein the coordinator collects information from the plurality of remote devices at the end of each round which summarizes the data received at the plurality of remote devices.

6. The method of claim 5, wherein the information collected by the coordinator comprises a sum or sketch of data values.

7. The method of claim 5, wherein the coordinator determines that the global threshold has been reached based on a combination of summaries.

8. The method of claim 1, wherein each of the plurality of remote devices device monitors a function associated with the network activity and a function of a device connected to the network, and sends a bit to the coordinator when the value of the function increases above a pre-determined threshold.

9. The method of claim 1, where the plurality of remote devices monitor a function of the network activity and a function of a device connected to the network; where the plurality of remote devices send a bit to the coordinator in response to the value of the function increasing above a pre-determined threshold, the coordinator completing a round after receiving a pre-determined number of bits from the plurality of remote devices, the coordinator collecting information from the plurality of remote devices at the end of each round, the information summarizing the data received at the plurality of remote devices, the summary information comprising a sum or sketch of data values, the coordinator determining that a global threshold has been reached based on a combination of summaries.

10. The method of claim 1 for monitoring F1, the plurality of remote devices waiting until a pre-determined number of elements are received and then simulating the tossing of a biased coin, with true randomness or with a pseudo-random number generator, the plurality of remote devices sending a bit to the coordinator in response to the result of the coin toss being heads; the coordinator determining that a global threshold has been reached in response to receiving a pre-determined quantity of bits from the remote devices.

11. The method of claim 1, wherein the frequency moment is F0, the frequency moment calculation proceeding in a single round, the plurality of remote devices randomly selecting one of two hash functions; the plurality of remote device evaluating the selected hash function based on data received associated with the selected network activity, the second hash function being evaluated in response to certain criteria are met in the first hash function; the hash value being sent to the coordinator in response to being initially observed by the remote site; and (c) the central coordinator reporting that a global threshold has been reached in response to the number of distinct hash values received exceeding a pre-determined number.

12. The method of claim 1, wherein the frequency moment is F2, F2 not exceeding a certain fraction of the global threshold at the completion of the first phase, and where, during the second phase, F2 monitoring until it is within a certain range of the global threshold.

13. A method of monitoring computer network activity comprising: reporting a selected network activity by a plurality of remote devices using a frequency moment Fp determined in accordance with
Fpimip where p represents an order of the frequency moment of 0, 1, or 2, i representing the selected network activity, and mi representing a dataset comprising a frequency associated with the selected network activity i from the plurality of remote devices; and providing a notification in response to Fp≧τ, where τ is a threshold value, wherein the frequency moment is F2, the frequency moment calculation proceeding in two phases of rounds, comprising (a) a first phase with one sub-round per round, wherein a coordinator collects sketches from each device with a communication cost based on the number of devices; (i) the coordinator ends the round and computes a new threshold of sketches required to end a round, in response to the number of sketches equaling or exceeding a pre-determined threshold; (ii) the calculation proceeding to phase two in response to the new threshold equaling or exceeding the previous threshold by a predetermined fraction, otherwise another round of the first phase is performed; and (iii) first phase rounds are performed until the threshold permits advancing to the second phase; and (b) a second phase wherein the coordinator collects sketches from remote sites with a communication cost based on the number of remote devices divided by an error factor; and where (i) the remote sites continuously monitor the selected activity, and transmit sketches to the coordinator in response to the activity exceeding a pre-defined threshold; and (ii) when the server receives a number of sketches equal to the number of remote devices, a sub-round is completed and the remote sites transmit an approximate sketch to the coordinator; (iii) the coordinator starts a new sub-round in response to the approximate sketch being less than or equal to a pre-defined threshold; (iv) the coordinator ending the round in response to the approximate sketch being greater than a pre-defined threshold, and the coordinator setting an output value to 1 and the method terminating in response to the number of sketches exceeding the threshold of sketches required to end the algorithm.

14. The method of claim 13, wherein the pre-determined fraction in steps (a)(i) and (a)(ii) is greater than 1.

15. A non-transient computer-readable storage medium storing instructions that, when executed by a processor, cause the processor to: report a selected network activity by a plurality of remote devices using a frequency moment Fp determined in accordance with
Fpimip where p represents an order of the frequency moment of 0, 1, or 2, i representing the selected network activity, and mi representing a dataset comprising a frequency associated with the selected network activity i from the plurality of remote devices; and provide a notification in response to Fp≧τ, where τ is a threshold value in response to the order of the frequency moment being 2, the frequency moment F2 being calculated in two phases of rounds, sketch algorithms being calculated to determine an estimate of a current norm of vectors, the plurality of remote devices sending a bit to a coordinator in response to a local vector exceeding a pre-determined bit threshold, the sketches being collected from each of the plurality of remote devices in response to receiving a pre-determined number of bits; cause the estimate of the current frequency moment F2 to exceed a pre-determined fraction of a global threshold in response to a summation of the sketches; divide each round into sub-rounds, where each sub-round is completed on the receipt of a pre-determined threshold of a number of bits; transmit an approximate sketch to the coordinator on the completion of each sub-round; initiate a new sub-round in response to the approximate sketch being less than a pre-defined threshold; initiate a change in an output value of the coordinator; and terminate the algorithm in response to the approximate sketch being equal to or exceeding the pre-defined threshold.

16. The computer readable storage medium defined by claim 15, storing instructions that, when executed by a processor, cause the coordinator to collect information from the plurality of remote devices at the end of each round which summarizes data received at the plurality of remote devices.

17. The computer readable storage medium defined by claim 16, wherein the information collected by the coordinator comprises a sum or sketch of data values.

18. The computer readable storage medium defined by claim 16, wherein the coordinator determines that the global threshold has been reached based on a combination of summaries.

19. The computer readable storage medium defined by claim 15, storing instructions that, when executed by a processor, cause each of the plurality of remote devices to monitor a function associated with the network activity and a function of a device connected to the network, and send a bit to the coordinator when the value of the function increases above a pre-determined threshold.

20. The computer readable storage medium defined by claim 19, storing instructions that, when executed by a processor, cause the coordinator to complete a round after receiving a pre-determined number of bits from the plurality of remote devices, the coordinator collecting information from the plurality of remote devices at the end of each round, the information summarizing the data received at the plurality of remote devices, the summary information comprising a sum or sketch of data values, the coordinator determining that a global threshold has been reached based on a combination of summaries.

Description:

FIELD OF THE INVENTION

This invention discloses continuous functional monitoring of distributed network activity using algorithms based on frequency moment calculations.

BACKGROUND

Functional monitoring problems are fundamental in distributed systems, in particular sensor networks, where minimization of communication is necessary. Functional monitoring also concerns problems in communication complexity, communication theory, and signal processing.

In traditional sensor systems such as smart homes and elsewhere, security sensors are carefully laid out and configured, and there is a convenient power source. The straightforward way to monitor a phenomenon is to take measurements every few time instants, send them to a central site, and use back-end systems to analyze the entire data trace.

In contrast, modern sensor networks, addressed in this invention, are more ad hoc and mobile. A modern sensor network may be distributed arbitrarily, operate on battery power, and have expensive bandwidth costs (e.g., via wireless communication). A battery operated device needs to conserve their power for long use between charging periods. Further, these sensors have some memory and computing power. Hence the sensors can perform local computations and be more careful in usage of radio for communication, since radio use is the biggest source of battery drain. In this scenario, collecting all the data from sensors to correctly calculate a function in the back-end is wasteful, and a direct approach is to design protocols which will trigger an alarm when a threshold is exceeded, and the emphasis is on minimizing the communication during the battery lifetime.

Moreover, even in a hard wired (i.e., not wireless) environment, there is a bandwidth cost to transmitting data, and minimization of communication of purely overhead functions is a generally desirable feature.

In this context, variations of functional monitoring have been proposed as “reactive monitoring” (in networking, see M. Dilman and D. Raz, “Efficient reactive monitoring,” IEEE Infocom, 2001), and “distributed triggers” (in databases, see G. Cormode and M. Garofalakis, “Sketching streams through the net: Distributed approximate query tracking,” Intl. Conf. Very Large Data Bases, 2005; G. Cormode, S. Muthukrishnan, and W. Zhuang, “What's different: Distributed, continuous monitoring of duplicate resilient aggregates on data streams,” Intl. Conf. on Data Engineering, 2006; and G. Comiode, S. Muthukrishnan, and W. Zhuang, “Conquering the divide: Continuous clustering of distributed data streams,” Intl. Conf. on Data Engineering, 2007).

Prior work has considered many different functions, and typically presents algorithms with correctness guarantees, but no nontrivial communication bounds. Some of the above work takes a distributed streaming approach where in addition to optimizing the bits communicated, the algorithms also attempt to optimize the space and time requirements of each of the sensors.

SUMMARY OF THE INVENTION

This invention provides a method for continuous distributed monitoring of computer network activity, focusing on frequency moments, given by formula (I).
Fpimip (I)
where Fp is frequency moment of order p, and mi is the frequency of item i from all sits.

Estimating the frequency moments has become the keystone problem in streaming algorithms since the seminal paper of Alon et al. (N. Alon, Y. Matias, and M. Szegedy. “The space complexity of approximating the frequency moments,” Journal of Computer and System Sciences, 58:137-147, 1999). In particular, the first three frequency moments (p=0, 1, 2) are useful in this invention. F1 is a simple summation of all elements. F0 corresponds to the number of distinct elements, and F2 is based on the square of the number of elements. All three have applications to a wide variety of monitoring situations in order to test when a certain value passes a critical threshold, such as system load in a distributed system.

In one aspect of this invention, network devices are programmed to report a particular network function to a network manager (i.e., a person), where the decision to transmit the report is based on a frequency moment calculation performed locally on the reporting device. By careful selection of the parameters of the calculation, a minimum amount of data can be reported that provides a pre-selected degree of timeliness and accuracy to the network manager. The transmission of a report to a person alerts that person to a situation on the network, for example, a certain percentage of network errors. On being alerted, a manager can take, for example, remedial steps to correct a problem or otherwise address the situation, which if left unattended, could cause a deterioration in network conditions, in a set of circumstances where human intervention is required.

In another aspect of this invention, frequency moment calculations are employed to report network statistics, such as how many packets are routed, where the packets originate geographically, where they are addressed geographically, or how many malformed packets have been transmitted. For any such statistical parameter, the decision to make a report is based on frequency moment calculations performed on a local device, such as a router or server.

In another aspect of this invention, the reports from local devices, computed with a frequency moment calculation, are transmitted to a network manager, which can make a decision on a course of action. The network manager can be a server which makes an automated decision, for example to bypass a malfunctioning router. Alternatively, a report can be made to a work station where a person can make manual changes.

In an embodiment of this invention, a method for continuous distributed monitoring of computer network activity is provided, with a computer network including a central coordinator computer and a set of distributed remote devices, wherein the central coordinator computer monitors and reports on network activity; selecting a network activity of interest; programming remote devices to report on the selected activity according to a frequency moment calculation, as noted above. In some embodiments, p≧1 and the frequency moment algorithm proceeds in two or more rounds. In further embodiments, each remote device monitors a function of the selected network activity, and sends a bit to a central coordinator when the value of the function increases above a pre-determined threshold. In a related aspect, each remote device monitors a function of a device connected to the network, and sends a bit to a central coordinator when the value of the function increases above a pre-determined threshold.

In another aspect of this invention, the frequency moment algorithm proceeds in two or more rounds, where each remote device monitors a function selected from the selected network activity and a function of a device connected to the network; and each remote device sends a bit to a central coordinator when the value of the function increases above a pre-determined threshold, and the coordinator completes a round after receiving a pre-determined number of bits from the set of remote devices, and the coordinator collects information from all remote devices at the end of each round, where said information summarizes the data received at each remote device, and the summary information is in the form of a sum or sketch of data values, and where the coordinator determines that a global threshold has been reached based on a combination of summaries.

In another aspect of this invention, F1 is monitored, where the frequency moment calculation proceeds in a single round, and where each remote device waits until it receives a pre-determined number of elements and then simulates the tossing of a biased coin, with true randomness or with a pseudo-random number generator, and where the device sends a bit to the coordinator if the result of the coin toss is heads; and where the coordinator determines that a global threshold has been reached after receiving a pre-determined quantity of bits from the remote devices.

Where the frequency moment is F0, the frequency moment calculation may proceed in a single round. In such a case, each remote device randomly selects one of two hash functions f or g, and each device evaluates the selected hash function based on data received on the selected network activity, and the second hash function is evaluated only if certain criteria are met in the first hash function; and where, if an item with the same hash value has not already been observed by the remote site, then that hash value is sent to the coordinator; and the central coordinator reports that a global threshold has been reached when the number of distinct hash values received exceeds a pre-determined number.

Where the frequency moment is F2, the algorithm may proceed in two phases of rounds, which are in turn divided into sub-rounds. In this case, the remote devices and coordinator use sketch algorithms to estimate the current L2 norm of vectors to varying levels of accuracy, and where each round uses a pre-determined threshold so that each device sends a bit to the coordinator when its local updates during the current round have an L2 noun which exceeds this threshold; and

    • (a) where in the first phase, the coordinator collects sketches from each device after receiving a pre-determined number of bits; and
    • (b) if the summation of the sketches causes the estimate of the current global F2 to exceed a pre-determined fraction of the global threshold, then the method proceeds to the second phase, where the second phase comprises the division of each round into sub-rounds, where each sub-round is completed on the receipt of a pre-determined threshold of a number of bits; on the completion of each sub-round, each remote site transmits an approximate sketch to the coordinator; if the approximate sketch is less than a pre-defined threshold, anew sub-round is initiated; if the approximate sketch is equal to or exceeds a pre-defined threshold, the coordinator changes its output to and terminates the algorithm.

In another aspect involving the frequency moment is F2, the frequency moment calculation proceeds in a two phases of rounds, where F2 does not exceed a certain fraction of the global threshold at the completion of the first phase, and where, during the second phase, F2 is monitored until it is within a certain range of the global threshold.

In another aspect involving the frequency moment is F2, the algorithm employs two phases of rounds. In the first phase, there is one sub-round per round, and the coordinator collects sketches from each device with a communication cost based on the number of devices;

    • (i) if the number of sketches equal or exceeds a pre-determined threshold, the coordinator ends the round and computes a new threshold of sketches required to end a round;
    • (ii) if the new threshold equals or exceeds the previous threshold by a pre-determined fraction, then the calculation proceeds to phase two, otherwise another round of the first phase is performed; and
    • (iii) first phase rounds are performed until the threshold permits advancing to the second phase.

In the second phase, the coordinator collects sketches from remote sites with a communication cost based on the number of remote devices divided by an error factor; and where

    • (i) the remote sites continuously monitor the selected activity, and transmit sketches to the coordinator if the activity exceeds a pre-defined threshold; and
    • (ii) when the server receives a number of sketches equal to the number of remote devices, a sub-round is completed and the remote sites transmit an approximate sketch to the coordinator;
    • (iii) if the approximate sketch is less than or equal to a pre-defined threshold, the coordinator starts a new sub-round;
    • (iv) if the approximate sketch is greater than a pre-defined threshold, the coordinator ends the round, and if the number of sketches exceeds the threshold of sketches required to end the algorithm, the coordinator changes its output to 1 and the algorithm is terminated. In this aspect, the pre-determined fraction noted above is greater than 1, for example, 9/8 or 5/4.

This invention further discloses a method for raising an alarm in a computer network with a set of remote reporting devices and a coordinator server, wherein the coordinator server has an initial output of 0, with continuous distributed monitoring of a function on the network or a function at a remote device. The continuous distributed monitoring comprises:

    • (a) a series of rounds and a set of frequency vectors;
    • (b) a predefined threshold at which a remote device reports a bit to the coordinator if the frequency vectors exceed a pre-defined threshold; and
    • (c) where the coordinator changes its output to 1 if a pre-determined number of bits is received by the coordinator, and where the change in output constitutes an alarm on the network.

The method of raising an alarm in the aforementioned paragraph may further constitute an alarm that alerts a person to a situation on the network, or alternatively, the alarm may alert an automated process to a situation on the network.

DETAILED DESCRIPTION

As described herein, continuous distributed functional monitoring problems are “(k, ƒ, τ, ε)” problems, where k represents the number of players, ƒ is a function, τ is a threshold, and ε is an error factor. In the broadest sense, a (k, ƒ, τ, ε) problem is designed to change its output, such as raising an alarm, when a threshold τ is reached, where the players are observed continually and in real time.

In this invention, (k, ƒ, τ, ε) problems can be used to supervise and monitor computer networks, and generate reports in real time based on a pre-selected network function. An important feature in network supervision, monitoring, and control is balancing the accuracy of network reports, the timeliness of the reports, and the bandwidth usage required to make sufficient reports.

The purpose of providing real time reports is to make rapid changes to correct problems or fine tune network performance in real time, to minimize network slowdowns or stoppages, and increase performance. For example, if an excess load is detected of traffic entering a network, such as at a rush hour, additional devices can brought online to handle the load, or lower priority activities can be stopped to handle higher priority traffic.

In this invention, aggregate network functions are observed that are amenable to statistical analysis, such as network load, origin or destination of packets, and error rates. As such, a certain amount of error in the accuracy of reports can be tolerated. Thus, in an aspect of this invention, a pre-determined error factor can be employed, such as a 1% or a 10% error rate, within which errors are acceptable.

In any network reporting function, minimization of bandwidth is an important objective. Any reporting function can be considered an overhead activity, so the object of a reporting activity is to transmit the minimum amount of information necessary to make reports that meet the pre-determined parameters of accuracy and timeliness. Minimizing bandwidth is especially desirable in wireless or battery powered devices, where transmission of data consumes power and contributes to depletion of batteries.

As an illustration of the parameters of this invention, consider a simple case where there are two observers, Alice and Bob, who watch goods entering or leaving a warehouse through separate doors, and a manager, Carol. Alice and Bob do not speak with each other, but each observer has a two way communication channel with Carol. The objective of this system is to design a system to minimize the communication of each observer with Carol, while at the same time providing Carol with real time and accurate information on the flow of goods in an out of the warehouse. Mathematically, this can be expressed as |C(t)|=|A(t)|+|B(t)|, where t is time, and C(t) is a monitoring function. If bA(t) is the total number of bits sent from Alice to Carol, and bB(t) is the total number of bits sent from Bob to Carol, then the goal is to minimize b(t), where bt=bA(t)+bB(t).

In the most trivial case, Alice and Bob simply send a report (bit) every time an item enters or leaves the warehouse. In this case, bt=|A(t)|+|B(t). Of greater interest is the more complex case, where given ε, Carol's task is to output 0 whenever C(t)≦(1−ε)τ, and to output 1 whenever C(t)>τ, for a threshold τ. Put differently, if the threshold is exceeded, an alarm is raised.

Several communication procedures in principle can achieve the goal of providing reports while minimizing communication between the observers and the manager (the manager is also referred to herein as a coordinator). A simple method is a coin toss, where, for example, Alice and Bob each flip a coin each time an item enters the warehouse and send Carol a report when the coin shows heads.

Another procedure is the “GLOBAL” method, where Alice and Bob know a rough estimate of Δ=τ−C(t′) from some prior time t′, and each observer sends a bit whenever the number of items they have observed exceeds Δ/2. Carol updates Alice and Bob with estimates when she gets a bit update and the new value of Δ is computed and used.

Another procedure is the “LOCAL” method, where Alice and Bob each create a model for arrival times of items and communicate the model parameters to Carol. The observers send bits to summarize differences when their current data significantly differs from their models.

This invention discloses functional monitoring problems generally in which there are k≧2 sites, and we wish to monitor C(t)=ƒ(A1(t)∩ . . . ∩Ak(t)) where Ai(t) is the multiset of items collected at site i by time t, and ƒ is a monotonically nondecreasing function in time. There are two variants: threshold monitoring (determining when C(t) exceeds a threshold τ) and value monitoring (providing a good approximation to C(t) at all times t). Value monitoring directly solves threshold monitoring, and running O((1/ε) log T) instances of a threshold monitoring algorithm for thresholds τ=1, (1+ε), (1+ε)2, . . . , T solves value monitoring with relative error 1+ε. Thus, the two variants differ by at most a factor of O(1/ε) log T). This disclosure will focus on threshold monitoring, which will be referred to as (k, ƒ, τ, ε) problems.

Thus, in one aspect, this invention provides a set of methods for monitoring particular functions of distributed data. For example, consider monitoring the number of malformed packets observed by a collection of routers in a large network, and wishing to raise an alert if the number of such packets exceeds some large quantity, say one million. This invention allows this to be monitored using an amount of communication which is much smaller than simply alerting a central monitor for every observed bad packet (very costly), while also avoiding periodic polling of routers for values (also costly, and potentially slow to respond). The communication cost of this monitoring is tightly bounded, while guaranteeing very high accuracy. In comparison to solutions to similar problems described in the literature, our solutions offer significantly less communication (up to an order of magnitude less and minimal computation power.

Accordingly, this invention is concerned with monitoring a function over a distributed set of computing devices and associated inputs. While the inventors have given solutions to such problems in the past, the methods and apparatus presented here apply to the same problems and present significant improvements in the cost of the monitoring. For example, consider a network of routers each observing their local traffic, where the network manager wishes to compute some function over the global traffic. Alternatively, consider a sensor network monitoring environmental conditions, such as stock in a warehouse or battlefield conditions. The function being monitored could simply be a sum of values observed, a count of the number of distinct objects observed globally, or the root-mean-square of a large number of values. Prior work (including work of that of the inventors here) has addressed these problems and given solutions which reduce the communication over the simple solution of pushing every single piece of information up to a centralized location.

In another aspect, this invention is applicable to situations where exact answers are unnecessary, such as reports of aggregate network performance or approximate error rates. In these types of reports, approximations with accuracy guarantees suffice. Thus, the functions of the invention have a built in error factor, ε. The use of a report of approximate data with an accuracy guarantee allows a tradeoff between accuracy and communication cost, i.e., bandwidth and processing resources required for the report.

In another aspect, this invention is useful for reporting on complex network functions. In the case of simple functions, periodic polling can often suffice. Thus, SNMP can poll traffic at a coarse granularity. However, a sampling method such as a periodic poll cannot effectively report on a holistic aggregate of data, such as data on network performance or error rates. An approach to reporting aggregate data is to carefully balance the period of polling with the communication cost of the report. Too infrequent polling will cause unnecessary delays in event observations. Too frequent polling has high communication costs, including high bandwidth usage. An additional problem with too frequent polling could lie in remote battery powered sensors that require battery power to send data, perhaps wirelessly. Overly frequent reports will deplete the batteries needlessly.

The methods of this invention address these concerns by intelligently reducing communications to the minimum bandwidth necessary to provide guaranteed error rates and guaranteed rapid response to events.

In signal processing, the emerging area of compressed sensing redefines the problem of signal acquisition as that of acquiring not the entire signal, but only the information needed to reconstruct the few salient coefficients using a suitable dictionary. These results can be extended to (k, ƒ, τ, ε) problems where the function is the salient coefficients needed to reconstruct the entire signal. See S. Muthukrishnan, “Some algorithmic problems and results in compressed sensing,” Allerton Conference, 2006. Further, the Muthukrishnan paper extended compressed sensing to functional compressed sensing where we need to only acquire information to evaluate specific functions of the input signal. Except for preliminary results in Muthukrishnan for quantiles, virtually no results are known for (k, ƒ, τ, ε) problems.

In computer science, there are communication complexity bounds that minimize the bits needed to compute a given function ƒ of inputs at any particular time over k parties. They do not, however, minimize the bits needed continuously over the entire time. These bounds are one-shot problems. The central issue in the continuous problems disclosed here is how often, and when, to repeat parts of such protocols over time to minimize the overall number of bits transferred.

The “streaming model” (see Alon et al., cited above) has received much attention in recent years. There are many functions ƒ that can be computed up to 1±ε accuracy in streaming model, using poly(1/ε, log n) space. This includes streaming algorithms for problems such as estimating frequency moments. There have been several works in the database community that consider the streaming model under the distributed setting, which is essentially the same as the model disclosed here. Subsequently several functional monitoring problems have been considered in this distributed streaming model, but the devised solutions typically are heuristics-based, the worst-case bounds are usually large and far from optimal. See G. Cormode and M. Garofalakis, “Sketching streams through the net: Distributed approximate query tracking,” Intl. Conf. Very Large Data Bases, 2005; G. Corrnode, M. Garofalakis, S. Muthukrishnan, and R. Rastogi, “Holistic aggregates in a networked world: Distributed tracking of approximate quantiles,” ACM SIGMOD Intl. Conf. Management of Data, 2005; G. Cormode, S. Muthukrishnan, and W. Zhuang, “Conquering the divide: Continuous clustering of distributed data streams,” Intl. Conf. on Data Engineering, 2007; and R. Keralapura, G. Cormode, and J. Ramamirtham, “Communication-efficient distributed monitoring of thresholded counts,” ACM SIGMOD Intl. Conf. Management of Data, 2006. In this disclosure, improved upper bounds for some basic functional monitoring problems are provided.

Accordingly, on one aspect, this invention provides a method for continuous distributed monitoring of computer network activity, focusing on frequency moments, given by formula (I).
Fpimip (I)
where Fp is frequency moment of order p, and mi is the frequency of item i from all sites.

Estimating the frequency moments has become the keystone problem in streaming algorithms since the seminal paper of Alon et al. (cited above). In particular, the first three frequency moments, where p=0, 1, or 2 are useful in this invention. Briefly, F1 represents a simple summation of all elements, F0 corresponds to the number of distinct elements, and F2 is based on the square of the number of elements, and has found many applications such as surprise index, join sizes, etc.

Frequency moment calculations have previously been applied to analysis of data in databases, such as characteristics and distribution of data in large data sets. See, for example, Faloutsos et al., in U.S. Pat. No. 5,758,338, and Alon, et al. in U.S. Pat. No. 5,950,185.

Table 1 summarizes the results of bounds presented in this method. The method of the present invention employs the continuous bounds, particularly the upper bounds, since an objective of the instant invention is minimization of data transfer at the upper bound necessary to convey the necessary information with the smallest amount of data transfer. This method is mainly concerned with minimizing the communication cost of reporting aggregate network functions.

TABLE 1
Summary of the communication complexity for one-shot and continuous threshold monitoring of
different frequency moments. The “randomized” bounds are expected communication bounds for
randomized algorithms with failure probability δ < ½
ContinuousOne-shot
MomentLower boundUpper boundLower boundUpper bound
F0, randomizedΩ(k) Õ(kɛ2) Ω(k) Õ(kɛ2)
F1, deterministic Ω(klog1ɛk) O(klog1ɛ) Ω(klog1ɛk) O(klog1ɛ)
F1, randomized Ω(min{k,1ɛ}) O(min{klog1ɛ·1ɛ2log1δ}) Ω(k) O(klog1ɛk)
F2, randomizedΩ(k) Õ(k2/ɛ+(k/ɛ)3) Ω(k) Õ(kɛ2)

For the (k, F1, τ, ε) problem, this method shows the deterministic bounds of O(k log 1/ε) and Ω(k log 1/εk)1; and randomized bounds of Ω(min{k, 1/ε}) and O(1/ε2 log 1/δ), independent of k, where δ is the algorithm's probability of failure. Hence, randomization can give significant asymptotic improvement, and curiously, k is not an inherent factor. These bounds improve the previous result of O(K/ε log τ/k) in the paper by R. Keralapura, G. Cormode, and J. Ramamirtham, “Communication-efficient distributed monitoring of thresholded counts,” ACM SIGAIOD Intl. Conf. Management of Data, 2006.

For the (k, F0, τ, ε) problem, this method shows a (randomized) upper bound of O(k/ε2), which improves on the previous result of O(k23 log n log 1/δ), presented in the paper by G. Cormode, S. Muthukrishnan, and W. Zhuang “What's different: Distributed, continuous monitoring of duplicate resilient aggregates on data streams,” Intl. Conf. on Data Engineering, 2006. This method also gives a lower bound of Ω(k).

For the (k, F2, τ, ε) problem, this method presents an upper bound of Õ(k2/ε+(k−2/ε)3), improving on the previous result of Õ(k24) published by G. Cormode and M. Garothlakis, “Sketching streams through the net: Distributed approximate query tracking,” Intl. Conf. Very Large Data Bases, 2005. This method also gives a lower bound of Ω(k). The algorithm is a more sophisticated form of the “GLOBAL” algorithm (see above), with multiple rounds, using different “sketch summaries” at multiple levels of accuracy. The Õ notation suppresses logarithmic factors in n, k, m, t, 1/ε, and 1/δ.

Problem Formulation

Consider a sequence of elements A=(a1, . . . , am), where aiε{1, . . . , n}. Let mi=|{j:aj=i}| be the number of occurrences of i in A, and define the p-th frequency moment of A as Fp(A)=Σni=1mpi for each p≧0. In the distributed setting, the sequence A is observed in order by k≧2 remote sites S1, . . . , Sk collectively, i.e., the element ai is observed by exactly one of the sites at time instance i. There is a designated coordinator that is responsible for deciding if Fp(A)≧τ for some given threshold τ. Determining this at a single time instant t yields a class of one-shot queries, but in this invention, the interest is in continuous monitoring (k, ƒ, τ, ε) queries, where the coordinator must correctly answer over the collection of elements observed thus far (A(t)), for all time instants t.

In the approximate version of these problems, for a parameter where 0<ε≦¼, the coordinator should output 1 to raise an alert if Fp(A(t))≧τ and output 0 if Fp(A(t))≦(1−ε)τ. If Fp is in between, the coordinator can answer either output, but will not change the output from the previous time t. Since the frequency moments never decrease as elements are received, the continuous-monitoring problem can also be interpreted as the problem of deciding a time instance t, at which point we raise an alarm, such that t1≦t≦t2, where t1=arg mint{Fp(A(t))>(1−ε)τ} and

t2=arg mint{Fp(A(t))≧τ}. The continuous algorithm terminates when such at is determined.

We assume that the remote sites know the values of τ, ε, and n in advance, but not m. The cost of an algorithm is measured by the number of bits that are communicated. We assume that the threshold τ is sufficiently large to simplify analysis and the bounds. Dealing with small τ's is mainly technical: we just need to carefully choose when to use the naive algorithm that simply sends every single element to the coordinator.

A simple observation implies that the continuous-monitoring problem is almost always as hard as the corresponding one-shot problem: for any monotone function ƒ, an algorithm for (k, j, τ, ε) functional monitoring that communicates g(k, n, m, τε) bits implies a one-shot algorithm that communicates g(k, n, m, τ, ε)+O(k) bits.

General Algorithm for Fp where p≧1

This is a general algorithm based on each site monitoring only local updates. The algorithm gives initial upper bounds, which we improve for specific cases in subsequent sections. Upper hounds are more important than lower hounds in this invention, since our goal is to minimize communication traffic at the upper bound of a given function.

The algorithm proceeds in multiple rounds, based on the generalized GLOBAL method, where the network manager updates the remote devices in real time with parameters on which the decision to make a report are based. Thus, whenever the coordinator receives a report, the remote devices are iteratively updated, changing the threshold required to make a report.

Let ui be the frequency vector (m1, . . . , mn) at the beginning of round i. In round i, every site keeps a copy of ui and a threshold ti. Let vij be the frequency vector of recent updates received at site j during round i. Whenever the impact of vij causes the Fp moment locally to increase by more than ti (or multiples thereof), the site informs the coordinator. After the coordinator has received more than k such indications, it ends the round, collects information about all k vectors vij from sites, computes a new global state ui+1, and distributes it to all sites.

More precisely, the round threshold is defined as t1=½ (τ−∥uipp)k−p, chosen to divide the current “slack” uniformly between sites. Each site j receives a set of updates during round i, which we represent as a vector vij. During round i, whenever └∥ui+vijpp/ti′ increases, site j sends a bit to indicate this (if this quantity increases by more than one, the site sends one bit for each increase). This formula means that ∥ui+vijpp/ti is rounded down to the nearest whole integer. Sending a bit only when ∥ui+vijpp/ti increases by a whole integer ensures the necessary accuracy with fewer messages sent from sites j to the coordinator than if a message was sent every time the referenced quantity changed. After the coordinator has received k bits in total, it ends round i and collects vij (or some compact summary of vij) from each site. It computes ui+1=uikj=1vij, and hence ti+1, and sends these to all sites, beginning round i+1. The coordinator changes its output to 1 when ∥uipp≧(1−ε/2)τ, and the algorithm terminates.

Consider the case where p=1. The upper bound is O(k log 1/ε) messages of counts being exchanged. In fact, we can give a tighter bound: the coordinator can omit the step of collecting the current vij's from each site, and instead just sends a message to advance to the next stage. The value of ti is computed simply as 2−1-iτ/k, and the coordinator has to send only a constant number of bits to each site to signal the end of round i. Thus, we obtain a bound of O(k log 1/ε) bits. This an easier calculation than the scheme presented in R. Keralapura, G. Cormode, and J. Ramamirtham, “Communication-efficient distributed monitoring of thresholded counts,” ACM SIGMOD Intl. Coni Management of Data, 2006, which used an upper bound of O(k/ε log τ/κ).

Next, consider the case of p=2. In order to concisely convey information about the vectors vij we make use of “sketch summaries” of vectors. See Alon, et al., cited above. These sketches have the property that (with probability at least 1−δ) they allow F2 of the summarized vector to be estimated with relative error ε, in O(1/ε2) log τ log 1/δ) bits. We can apply these sketches in the above protocol for p=2, by replacing each instance of ui and vij with a sketch of the corresponding vector. Note that we can easily perform the necessary arithmetic to form a sketch of ui+vij and hence find (an estimate of) ∥ui+vij22. In order to account for the inaccuracy introduced by the approximate sketches, we must carefully set the error parameter ε′ of the sketches. Since we compare the change in ∥ui+vij22 to ti, we need the error given by the sketch—which is ε′∥ui+vij22—to be at most a constant fraction of ti, which can be as small as (εr)/2. Thus we need to set ε′=O(ε/k2). Putting this all together gives the total communication cost of Õ(k62).

Randomized/Improved Bounds for F1

The simplest case is monitoring F1, which is the sum of the total number of elements observed. As noted above, O(k log 1/ε) bits is a deterministic algorithm for monitoring F1. Thus, any deterministic algorithm that solves (k, F1, τ, ε) functional monitoring has to communicate Ω(k log (1/εk)) bits.

A randomized algorithm can be shown for (k, F1, τ, ε) functional monitoring with error probability at most δ that communicates O((1/ε2) log(1/δ)) bits. The algorithm is derived from a careful implementation of the coin toss procedure, with an error probability of ⅓. By running O(log 1/δ) independent instances and raising an alarm when at least half of the instances have raised alarms, we amplify to success probability 1−δ, as required. Every time a site receives ε2τ(ck) elements, where c is some constant to be determined later, it sends a signal to the coordinator with probability 1/k. The server raises an alarm as soon as it has received c/ε2−c/(2ε) such signals, and terminates the algorithm. Choosing c=96 makes both probabilities at most ⅙, as desired.

A randomized algorithm is better than a deterministic algorithm for a large enough ε. In addition, for any e<¼, any probabilistic protocol for (k, F1, τ, ε) functional monitoring that errs with probability smaller than ½ has to communicate Ω(min {k, 1/ε}) bits in expectation.

Bounds for F0

We know that the F1 problem can be solved deterministically and exactly, by setting ε=1/τ, and communicating O(k log τ) bits. For any p≠1, the same arguments of Proposition 3.7 and 3.8 in Alon et al. (cited above) apply to show that both randomness (Monte Carlo) and approximation are necessary for the Fp problem in order to get solutions with communication cost better than Ω(n) for any k≧2. So we only need to consider probabilistic protocols that err with some probability δ.

For monitoring F0, we can generalize the sketch published by Z. Bar-Yossef, T. S. Jayram, R. Kumar, D. Sivakumar, and L. Trevisan, “Counting distinct elements in a data stream,” RANDOM, 2002, in a distributed fashion.

The basic idea is that, since the F0 sketch changes “monotonically”, i.e., once an entry is added, it will never be removed, we can communicate to the coordinator every addition to all the sketches maintained by the individual sites. Thus, for any ε≦¼, n≧k2, any probabilistic protocol for (k, F0, τ, ε) functional monitoring that errs with probability smaller than ½ has to communicate Ω(k) bits in expectation.

In this model, there is a randomized algorithm for the (k, F0, τ, ε) functional monitoring problem with error probability at most δ that communicates O(k(log n+(1/e2) log (1/ε)) bits. An algorithm can be shown with an error probability of ⅓. This can be driven down to δ by running O(log 1/δ) independent copies of the algorithm.

If t is defined as the integer such that 48/ε2≦τ/2t<96/ε2, the coordinator first picks two random pairwise independent hash functions f:[n]→[n] and g:→[6·(96/ε2)2], and sends them to all remote sites. This incurs a communications cost of O(k(log n+log 1/ε))=O(k log n) bits. Next, each remote site evaluates ƒ(ai) for every incoming element ai, and tests of the last t bits of ƒ(ai) are all zeros. If so, the remote site evaluates g(ai). There is a local that contains all g( ) values for such elements. If g(ai) is not in the buffer, we add g(ai) to the buffer, and send it to the coordinator. The coordinator also keeps a buffer of all unique g( ) values received, and outputs 1 whenever the number of elements in the buffer exceeds (1−ε/2)τ/2t. Since each g( ) value takes O(log 1/ε) bits, the bound in the theorem easily follows.

Bounds for F2

The F2 monitoring algorithm has a communication cost of Õ(k2/ε+k3/2/e3). This is an improvement over the bound from the prior art, reported in G. Cormode and M. Garofalakis, “Sketching streams through the net: Distributed approximate query tracking,” Intl. Conf. Very Large Data Bases, 2005.

F2 presents a more complex situation than F0 or F1. The F2 algorithm has two phases in this method. At the end of the first phase, we make sure that the F2 is between ¾ τ and τ; while in the second phase, we more carefully monitor F2 until it is in the range ((1−ε)τ, τ).

Each phase is divided into multiple rounds. In the second phase, each round is further divided into multiple sub-rounds to allow for more careful monitoring with minimal communication. We use sketches such that with probability at least 1−δ, they estimate F2 of the sketched vector within 1±ε using O(1/ε2 log n log 1/δ) bits. See Alon, cited above. Initially, assume that all sketch estimates are within their approximation guarantees. At a later stage, δ will be set to ensure only a small probability of failure over the entire computation.

Algorithm. We proceed in multiple rounds, which are in turn divided into subrounds. Let ui be the frequency vector of the union of the streams at the beginning of the ith round, and û2i be an approximation of u2i. In round i, we use a local threshold ti=(τ−û2i)2/64 k2 τ. Let vijl be the local frequency vector of updates received at site j during subround l of round i, and let wilkj=1 vijl be the total increment of the frequency vectors in subround l of round i. During each (sub)round, each site j continuously monitors its v2ijl, and sends a bit to the server whenever [v2ijl/ti] increases.

Phase one. In phase one, there is only one subround per round. At the beginning of round i, the server computes a 5/4 overestimate û2i of the current u2i, i.e., u2i≦û2i≦5/4 u2i. This can be done by collecting sketches from all sites with a communication cost of O(k log n). Initially û2i=u2i=0. When the server has received k bits in total from sites, it ends the round by computing a new estimate û2i+1 for û2i+1. If û2i+1≧15/16 τ, then we must have u2i+1≧û2i+1/(5/4)≧¾ τ, so we proceed to the second phase. Otherwise the server computes the new ti+1, broadcasts it to all sites, and proceeds to the next round of phase one.

Phase two. In the second phase, the server computes a (1+ε/3)-overestimate û2i at the start of each round by collecting sketches from the sites with a communication cost of O(k/ε log n). The server keeps an upper bound û2i,l on u2i,l, the frequency vector at the beginning of the l-th subround in round i.

As above, during each sub-round, each site/continuously monitors its v2ijl, and sends a bit to the server whenever [v2ijl/ti] increases. When the server has collected k bits in total, it ends the sub-round. Then, it asks each site j to send a (1±½)-approximate sketch for v2ijl. If û2i,l+1+3 k∥û2i,t+1∥√ti<τ, then the server starts another sub-round, l+1. If not, then the round ends, and the server computes a new û2i+1 for u2i+1. If û2i+1≧(1−⅔ε)τ, the server changes its output to 1 and terminates the algorithm. Otherwise, it computes the new ti+1, sends it to all sites, and starts the next round.

CONCLUSIONS

For functional monitoring problems (k, ƒ, τ, ε), this work had the surprising results that for some functions, the communication cost is close to or the same as the cost for one-time computation of ƒ, and that the cost can be less than the number of participants, k. Our results for F2 make careful use of compact sketch summaries, switching between different levels of approximation quality to minimize the overall cost. These algorithms are more generally useful, since they immediately apply to monitoring L2 and L22 of arbitrary nonnegative vectors, which is at the heart of many practical computations such as join size, wavelet and histogram representations, geometric problems and so on. See G. Cormode and M. Garofalakis, “Sketching streams through the net: Distributed approximate query tracking,” Intl. Conf. Very Large Data Bases, 2005; and P. Indyk, “Algorithms for dynamic geometric, problems over data streams,” ACM Symp. Theory of Computing, 2004. Likewise, our F1 techniques are applicable to continuously track quantiles and heavy hitters of time-varying distributions. See G. Cormode, M. Garofalakis, S. Muthukrishnan, and R. Rastogi, “Holistic aggregates in a networked world: Distributed tracking of approximate quantiles,” ACM SIGMOD Intl. Conf. Management of Data, 2005.